VYPR

apk package

wolfi/sonarqube

pkg:apk/wolfi/sonarqube

Vulnerabilities (26)

  • CVE-2026-42198HigApr 29, 2026
    affected < 26.4.0.121862-r1fixed 26.4.0.121862-r1

    pgjdbc is an open source postgresql JDBC Driver. From version 42.2.0 to before version 42.7.11, pgjdbc is vulnerable to a client-side denial of service during SCRAM-SHA-256 authentication. A malicious server can instruct the driver to perform SCRAM authentication with a very larg

  • CVE-2026-5598HigApr 15, 2026
    affected < 26.6.0.123539-r0fixed 26.6.0.123539-r0

    Covert timing channel vulnerability in Legion of the Bouncy Castle Inc. BC-JAVA core on all (core modules). This vulnerability is associated with program files FrodoEngine.Java. This issue affects BC-JAVA: from 1.71 before 1.80.2, from 1.81 before 1.81.1, from 1.82 before 1.

  • CVE-2026-29062Mar 6, 2026
    affected < 26.2.0.119303-r1fixed 26.2.0.119303-r1

    jackson-core contains core low-level incremental ("streaming") parser and generator abstractions used by Jackson Data Processor. From version 3.0.0 to before version 3.1.0, the UTF8DataInputJsonParser, which is used when parsing from a java.io.DataInput source, bypasses the maxNe

  • CVE-2026-1225LowJan 22, 2026
    affected < 26.1.0.118079-r2fixed 26.1.0.118079-r2

    ACE vulnerability in configuration file processing by QOS.CH logback-core up to and including version 1.5.24 in Java applications, allows an attacker to instantiate classes already present on the class path by compromising an existing logback configuration file. The instanti

  • CVE-2025-68390Dec 18, 2025
    affected < 25.12.0.117093-r0fixed 25.12.0.117093-r0

    Allocation of Resources Without Limits or Throttling (CWE-770) in Elasticsearch can allow an authenticated user with snapshot restore privileges to cause Excessive Allocation (CAPEC-130) of memory and a denial of service (DoS) via crafted HTTP request.

  • CVE-2025-68384Dec 18, 2025
    affected < 25.12.0.117093-r2fixed 25.12.0.117093-r2

    Allocation of Resources Without Limits or Throttling (CWE-770) in Elasticsearch can allow a low-privileged authenticated user to cause Excessive Allocation (CAPEC-130) causing a persistent denial of service (OOM crash) via submission of oversized user settings data.

  • CVE-2025-67735Dec 16, 2025
    affected < 26.2.0.119303-r2fixed 26.2.0.119303-r2

    Netty is an asynchronous, event-driven network application framework. In versions prior to 4.1.129.Final and 4.2.8.Final, the `io.netty.handler.codec.http.HttpRequestEncoder` has a CRLF injection with the request URI when constructing a request. This leads to request smuggling wh

  • CVE-2025-37731Dec 15, 2025
    affected < 25.12.0.117093-r1fixed 25.12.0.117093-r1

    Improper Authentication in Elasticsearch PKI realm can lead to user impersonation via specially crafted client certificates. A malicious actor would need to have such a crafted client certificate signed by a legitimate, trusted Certificate Authority.

  • CVE-2025-66566HigDec 5, 2025
    affected < 26.2.0.119303-r2fixed 26.2.0.119303-r2

    yawkat LZ4 Java provides LZ4 compression for Java. Insufficient clearing of the output buffer in Java-based decompressor implementations in lz4-java 1.10.0 and earlier allows remote attackers to read previous buffer contents via crafted compressed input. In applications where the

  • CVE-2025-59250Oct 14, 2025
    affected < 0fixed 0

    Improper input validation in JDBC Driver for SQL Server allows an unauthorized attacker to perform spoofing over a network.

  • CVE-2025-11226MedOct 1, 2025
    affected < 25.11.0.114957-r0fixed 25.11.0.114957-r0

    ACE vulnerability in conditional configuration file processing by QOS.CH logback-core up to and including version 1.5.18 in Java applications, allows an attacker to execute arbitrary code by compromising an existing logback configuration file or by injecting an environment varia

  • CVE-2025-58057Sep 3, 2025
    affected < 25.12.0.117093-r1fixed 25.12.0.117093-r1

    Netty is an asynchronous event-driven network application framework for rapid development of maintainable high performance protocol servers & clients. In netty-codec-compression versions 4.1.124.Final and below, and netty-codec versions 4.2.4.Final and below, when supplied with s

  • CVE-2025-58056Sep 3, 2025
    affected < 25.12.0.117093-r1fixed 25.12.0.117093-r1

    Netty is an asynchronous event-driven network application framework for development of maintainable high performance protocol servers and clients. In versions 4.1.124.Final, and 4.2.0.Alpha3 through 4.2.4.Final, Netty incorrectly accepts standalone newline characters (LF) as a ch

  • CVE-2025-55163Aug 13, 2025
    affected < 25.12.0.117093-r1fixed 25.12.0.117093-r1

    Netty is an asynchronous, event-driven network application framework. Prior to versions 4.1.124.Final and 4.2.4.Final, Netty is vulnerable to MadeYouReset DDoS. This is a logical vulnerability in the HTTP/2 protocol, that uses malformed HTTP/2 control frames in order to break the

  • CVE-2025-48734May 28, 2025
    affected < 25.12.0.117093-r0fixed 25.12.0.117093-r0

    Improper Access Control vulnerability in Apache Commons. A special BeanIntrospector class was added in version 1.9.2. This can be used to stop attackers from using the declared class property of Java enum objects to get access to the classloader. However this protection was no

  • CVE-2025-25193Feb 10, 2025
    affected < 0fixed 0

    Netty, an asynchronous, event-driven network application framework, has a vulnerability in versions up to and including 4.1.118.Final. An unsafe reading of environment file could potentially cause a denial of service in Netty. When loaded on an Windows application, Netty attempts

  • CVE-2024-57699HigFeb 5, 2025
    affected < 25.10.0.114319-r0fixed 25.10.0.114319-r0

    A security issue was found in Netplex Json-smart 2.5.0 through 2.5.1. When loading a specially crafted JSON input, containing a large number of ’{’, a stack exhaustion can be trigger, which could allow an attacker to cause a Denial of Service (DoS). This issue exists because of a

  • CVE-2024-12801LowDec 19, 2024
    affected < 25.6.0.109173-r0fixed 25.6.0.109173-r0

    Server-Side Request Forgery (SSRF) in SaxEventRecorder by QOS.CH logback version 0.1 to 1.3.14 and 1.4.0 to 1.5.12  on the Java platform, allows an attacker to forge requests by compromising logback configuration files in XML. The attacks involves the modification of DOCTYPE

  • CVE-2024-12798MedDec 19, 2024
    affected < 25.6.0.109173-r0fixed 25.6.0.109173-r0

    ACE vulnerability in JaninoEventEvaluator by QOS.CH logback-core upto including version 0.1 to 1.3.14 and 1.4.0 to 1.5.12 in Java applications allows attacker to execute arbitrary code by compromising an existing logback configuration file or by injecting an en

  • CVE-2024-47535Nov 12, 2024
    affected < 25.6.0.109173-r0fixed 25.6.0.109173-r0

    Netty is an asynchronous event-driven network application framework for rapid development of maintainable high performance protocol servers & clients. An unsafe reading of environment file could potentially cause a denial of service in Netty. When loaded on an Windows application

Page 1 of 2